This is a very useful follow-up to Hubbard's previous book "How to
Measure Anything: Finding the Value of Intangibles in Business"
applied to cybersecurity risk. Though this book can be read
standalone, many details are referenced to the previous one, and it
would be good to have a copy at hand for reference. The book
addresses the very important question: Is it really possible to do
anything beyond rating scales when assessing cybersecurity risk?
We're all familiar with variations of high-medium-low and the
sometimes arcane rituals of how to "multiply" a medium rate of
occurrence by a low impact. We've also likely felt vaguely
uncomfortable about doing math on ratings but haven't really had an
alternative.

The authors are quick to assure us that there is a better way that
will allow us to defensibly produce quantitative risk assessments
using the data and knowledge we have (but may not realize we have).

Their technique relies on simulation - they call it "Monte Carlo",
which would have put my long-ago professor in a computer simulation
course into hysterics: "Monte Carlo is a method for integrating messy
functions, not a catchy byword for applying simulation to problems". A
quick Google shows that "Monte Carlo" enjoys wide usage in the sense
used by the authors but I still have the emotional scars from that
course and won't use the term that way.

To do a good simulation, you need reasonable data and the authors
spend a good portion of the book showing that we know a lot more than
we think we do. One of their core techniques is "calibration" which
basically means that when an expert says that something has a
probability of .2 to .4 they really mean it. While that sounds
suspiciously obvious, the authors quote substantial research to show
that experts, in the beginning, really don't believe their estimates
(in the sense of being willing to wager on the outcome) but can be
taught to produce good estimates.

The tool they use for their simulation studies is the spreadsheet
(examples available on the book's website), but rather than creating
another spreadsheet oracle, they clearly explain how the spreadsheet
calculations work so that the astute reader will be able to understand
and defend their conclusions.
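As an added illustration, not code from the book or its website, here is a small Python version of the kind of calculation the authors' spreadsheets perform: a calibrated 90% confidence interval for the impact of an event is turned into a lognormal distribution, a year is simulated many times, and a loss exceedance curve is read off, with a helper that scores whether an estimator's stated 90% intervals really contain the answer about 90% of the time. The event probability, the dollar interval and the lognormal choice are assumptions of this example, not figures from the review.

```python
import math
import random

Z90 = 1.645  # a two-sided 90% interval spans +/- 1.645 standard deviations


def lognormal_from_ci(lo, hi):
    """Map a calibrated 90% confidence interval (lo, hi) for a loss onto
    lognormal parameters (mu, sigma); the interval endpoints become the
    5th and 95th percentiles of the distribution."""
    mu = (math.log(lo) + math.log(hi)) / 2
    sigma = (math.log(hi) - math.log(lo)) / (2 * Z90)
    return mu, sigma


def analytic_expected_loss(p_event, lo, hi):
    """Closed-form annual expected loss, used to sanity-check the simulation."""
    mu, sigma = lognormal_from_ci(lo, hi)
    return p_event * math.exp(mu + sigma ** 2 / 2)


def simulate_annual_loss(p_event, lo, hi, trials=10000, seed=1):
    """Simulate `trials` years: in each, the event occurs with probability
    p_event and, if it does, its loss is drawn from the lognormal implied
    by the calibrated interval. Returns one loss figure per simulated year."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    mu, sigma = lognormal_from_ci(lo, hi)
    return [rng.lognormvariate(mu, sigma) if rng.random() < p_event else 0.0
            for _ in range(trials)]


def loss_exceedance(losses, thresholds):
    """Probability that the annual loss exceeds each threshold (the points
    of a loss exceedance curve)."""
    n = len(losses)
    return {t: sum(1 for x in losses if x > t) / n for t in thresholds}


def calibration_score(estimates):
    """Fraction of (lo, hi, actual) triples whose actual value falls inside
    the stated 90% interval; a calibrated estimator scores close to 0.9."""
    hits = sum(1 for lo, hi, actual in estimates if lo <= actual <= hi)
    return hits / len(estimates)


if __name__ == "__main__":
    # Constructed sample: a 30%-per-year event whose loss the calibrated
    # expert puts at $100k to $2M with 90% confidence.
    losses = simulate_annual_loss(0.3, 100_000, 2_000_000)
    print("simulated mean loss: %.0f" % (sum(losses) / len(losses)))
    print("analytic mean loss:  %.0f" % analytic_expected_loss(0.3, 100_000, 2_000_000))
    for t, pr in loss_exceedance(losses, [0, 250_000, 1_000_000, 5_000_000]).items():
        print(f"P(annual loss > {t:,}) = {pr:.3f}")
```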

There are a couple of pimples on this otherwise excellent
presentation. First is that too much is made of the great frequentist
versus subjectivist divide in the field of statistics. Outside of
academia, I find that the professional statisticians I know (a biased
sample if ever there was one) are frequentists when they can be and
subjectivists the rest of the time. As one of the more waggish
opined: "Whatever makes the math easier". If you must classify
yourself, my advice is to follow the authors and be unabashedly
subjectivist (or Bayesian). The second is that some of the
presentation is frankly polemical and boils down to "If you don't
agree with us then you don't understand statistics at all". The
authors are experts in their field (otherwise we wouldn't be reading
their book) and the research results of applying their techniques
speak for themselves, so the polemics could have been left out with no
loss to the presentation.

Some readers may suffer from a phobia when it comes to statistics and
probability (usually traceable to a bad experience in their first
statistics class). The authors have successfully taught their methods
to audiences from many backgrounds and the book is heavily tutorial in
nature. When you finish working your way through it, you will be able
to stare probability distributions, confidence intervals and other
scary accoutrements of quantitative risk assessment in the eye without
flinching.

This is an awesome book on a critical topic. The decisions we make in
securing our information assets, the infrastructures that support them
and the services that depend on them are too critical for us to depend
on mumbo jumbo when making decisions about risk. The authors make a
forceful case that there is a better way that depends on
comprehensible techniques with a substantial body of research in many
fields behind them. I fervently hope that you will studiously read
this book and apply its techniques in your own work. We and our
profession will be all the better for it.

It has been said "Be careful, for writing books is endless, and much
study wears you out" so Richard Austin has fearlessly sampled the
latest offerings of the publishing houses and opines as to which might
most profitably occupy your scarce reading time.

Fare thee well!

The time has come for your humble correspondent to retire from the
workaday world and start a new phase of life as a professional
grandpa. I have thoroughly enjoyed these ten years of writing book
reviews for IEEE Cipher and want to express my deep appreciation to
you, our readers, the IEEE Computer Society Technical Committee on
Security and Privacy and my longsuffering editor, Hilarie Orman (who has
taught me there is always a better way to say things), for this
once-in-a-lifetime opportunity.

I wish you well as you carry our wonderful profession into the future
and confront the myriad challenges that make this the most interesting
profession on Earth.